UK charity CALM hacked in 'senseless' attack

UK charity CALM says that its website was hacked and defaced on July 24th, in an attack that has been described as 'motiveless' and 'senseless'.

CALM, also known as the Campaign Against Living Miserably (CALM), is one of the up-and-coming charities in the UK, campaigning to prevent suicide among young and middle-aged men.

In an email to supporters on Tuesday, charity CEO Jane Powell confirmed the breach and said that the website is now back to normal.

“I am sorry to have to tell you that www.thecalmzone.net, was recently hacked and defaced. We became aware of this attack on July 24 2015.

“We have notified the ICO (Information Commissioners Office), the relevant law enforcement agency and resolved the vulnerability on our website and we are working with cyber-security experts, forensic examiners and legal counsel to ensure everything is being done to minimise the damage caused by this attack.”

Powell went onto say that the hack was “opportunistic” and carried out by hackers “who are known for random attacks on companies, attacks which appear to be destructive for the sake of it.”

“As a precaution we are monitoring the Internet for references to this incident.”

Crucially, however, the charity's most sensitive data - including webchats and personal emails and phone calls, is not believed to have been compromised as the charity either didn't collect this or it was held by a third-party. No financial details are believed to have been compromised.

Powell's email details that user names, email addresses, passwords and data entered onto the website may have been unlawfully accessed, as well as any information uploaded via the ‘Contact Us' form or ‘upload a story' feature.

The charity has advised its users to change their passwords immediately and be wary of any phishing emails relating to the incident, including messages which ask users to update or change their password. As a precaution, the charity will detail further information relating to the hack at https://www.thecalmzone.net/websitehack, and asks users who spot phishing emails to forward them onto phishing@thecalmzone.net before deleting from their inbox.

The method of attack has not been disclosed, although some suggest that the hacker may have exploited a WordPress vulnerability.

“I apologise wholeheartedly for this breach of security, but be assured that we are doing everything in our power to ensure that the damage is mitigated and that this doesn't happen again,” wrote Powell in the email. “I hope that you continue to support CALM, visit our website and make our campaign the vibrant and empowering organisation that it is.”

In a Facebook post, the group added that the website had returned to normal, but said that Facebook itself is continuing to block shared links to its website, presumably on the assumption that is still compromised. One of the error messages reads: "The content you're trying to share includes a link that our security systems detected to be unsafe."

“We cleaned, secured and reinstalled the CALM site immediately and got everything back up and running as quickly as we could to minimise disruption to the site and it's visitors,” reads the group's Facebook post.

“However, because of this attack, Facebook has blocked the use of links to our site. We have contacted Facebook about this issue, and have made it clear that our site is perfectly safe and restored to normality.

“Please be reassured that our website is NOT unsafe, and we have done all we can to maximise security on the site to protect it from any future attacks. If you are willing to report the block to Facebook, requesting its removal ASAP, that would be appreciated. Thanks for your patience and understanding.”

SCMagazineUK.com spoke to the charity yesterday, where a spokeswomen confirmed that start-up Give01Day had helped with the clean-up operation.

Rachel Clare, communication director, told SC: “We have been very thankful for the support received from Give01Day – they are an amazing resource for a charity of our size. Whilst we can't say for sure exactly what data was compromised, it looks from the forensic reports like this was a totally random attack from a hacker who was known to hack hundreds of sites daily, with no apparent motive. The defacement itself just announced that the site had been hacked with reference to the tag of the hacker and the hack group they adhered to.

“We were lucky in that there were no links to inappropriate videos or links as per some attacks of this nature, and the damage done to the site itself seems to be thankfully minimal."

Amar Singh, CEO of Give01Day, later told SC that CALM had found out about the start-up's work through an article on The Guardian. His team of volunteers helped out with incident response, over the phone, during the course of two days.

“We helped out from an incident response side. We got four volunteers involved on the same day they called us, and we offered guidance and advice.” The group also helped the charity in communicating the issue to its supporters.

On the attack, Singh added: “I would call it a senseless, zero-motivation attack. Hackers should give charities a pass - Why are they attacking a charity that is trying to do good stuff?”

The charity, which has around 5,000 supporters and with patrons including rapper Professor Green, runs its own help line, magazine and fundraising events. Suicide remains the biggest killer of men between the ages of 20 to 45 in the UK.